Transforming How Texas Government Serves Texans

2020 Prioritization of Cybersecurity & Legacy Modernization Projects

July 14, 2020


AGENDA

• Introductions
• Background & Purpose
• Content Overview
• SPECTRIM Demonstration
• Process & Submission
• Q&A


INTRODUCTIONS

Chief Technology Office
• John Hoffman | Interim State CIO, Chief Technology Officer
• Krishna Edathil | Director, Enterprise Solution Services
• Robert Benejam | Enterprise Architect, Enterprise Solution Services

Office of the Chief Information Security Officer
• Nancy Rainosek | State Chief Information Security Officer
• Matt Kelly | Governance, Risk, & Compliance Program Manager


Overview & Purpose

John Hoffman | Nancy Rainosek


OVERVIEW

Section 2054.069, Government Code, entitled "Prioritized Cybersecurity and Legacy Systems Projects Report," requires the Texas Department of Information Resources (DIR) to report on state agency cybersecurity projects and projects to modernize or replace legacy systems, as defined by Section 2054.571, Government Code, to the Legislative Budget Board (LBB) no later than October 1 of each even-numbered year.


STATUTE

Sec. 2054.069. PRIORITIZED CYBERSECURITY AND LEGACY SYSTEM PROJECTS REPORT. (a) Not later than October 1 of each even-numbered year, the department shall submit a report to the Legislative Budget Board that prioritizes, for the purpose of receiving funding, state agency:

(1) cybersecurity projects; and
(2) projects to modernize or replace legacy systems, as defined by Section 2054.571.

(b) Each state agency shall coordinate with the department to implement this section.

(c) A state agency shall assert any exception available under state or federal law, including Section 552.139, in response to a request for public disclosure of information contained in or written, produced, collected, assembled, or maintained in connection with the report under Subsection (a). Section 552.007 does not apply to information described by this subsection.

Added by Acts 2019, 86th Leg., R.S., Ch. 509 (S.B. 64), Sec. 12, eff. September 1, 2019.


PURPOSE

• The PCLS Project Questionnaire provides agencies with the opportunity to demonstrate the risks and potential impacts of not funding cybersecurity or legacy systems modernization projects.

• DIR will use the responses provided in the PCLS Project Questionnaire along with the Application Portfolio Management (APM) assessment responses of the business applications associated with the project in determining the project prioritization that will be sent to the LBB by October 1, 2020.


BACKGROUND

2014
• Legacy Systems Study, HB 1890 (84R)

2016
• 1st PCLS (Reported for 85R)

2018
• 2nd PCLS (Reported for 86R)
• APM Assessments w/ IRDR

2020
• 3rd PCLS (Reporting for 87R)
• PCLS Codified


QUESTIONNAIRE COMPONENTS

• Part 1: General Information
• Part 2: Associated Business Applications
• Part 3: Cybersecurity Issues and Controls
• Part 4: Legacy Issues
• Part 5: Probability Determination
• Part 6: Impact Determination

• Instructions Document


General Information
Part 1 – All Projects

Krishna Edathil


PART 1 – GENERAL INFORMATION

• 18-24 questions
• Project Narrative
• Project Type
• LAR/Funding Information
• Project Characteristics


PROJECT TYPE

Cybersecurity Projects must possess at least one of the following criteria:

►The project’s primary purpose must be improving the organization’s cybersecurity or enhancing the organization’s capability to identify, detect, protect, respond, or recover from cybersecurity threats and vulnerabilities.

►The project must have clear objectives that will improve the organization’s cyber maturity as measured in the biennial information security plan.

Legacy Modernization Projects must possess at least one of the following criteria:

►The project’s primary purpose must be modernizing the agency’s legacy systems as defined in Sec. 2054.571, Government Code. “Legacy system” means a computer system or application program that is operated with obsolete or inefficient hardware or software technology.

►The project must also be intended primarily to support continued systems currency through monitoring the agency’s application portfolio and IT infrastructure.

NOTE: Projects for the 87th legislature are now either one or the other.


Related Business Applications
Part 2 – All Projects

Robert Benejam


PART 2 – RELATED BUSINESS APPLICATIONS

A Business Application name is the high-level label used by an agency to easily identify a group of functions provided by one or more systems to accomplish the specific business needs of the agency.

A Business Application is typically a combination of integrated hardware and software (including data and applications), internally developed custom systems, commercial off the shelf (COTS) applications, and/or customized third-party systems.


PART 2 – RELATED BUSINESS APPLICATIONS

IRDR – Information Resources Deployment Review (March 31)
• Inventory applications
• Determine applications to assess

APM – Application Portfolio Management Assessments (Prior to PCLS Submission)
• Complete application APM assessments as determined

PCLS – Prioritization of Cybersecurity and Legacy Systems Projects (Agency LAR Due Date)
• Associate applications to relevant project questionnaires


PART 2 – RELATED BUSINESS APPLICATIONS

All applications associated with a PCLS project must…
1. have an APM assessment completed within the last four years and
2. have the required fields completed in the application record

Directly Related
• the business applications related to the project are directly impacted by the project (replaced, modernized, consolidated, improved, etc.).

Indirectly Related
• the business applications that receive a secondary benefit from the project.


Cybersecurity Issues & Controls
Part 3 – Cybersecurity Projects Only

Matt Kelly


PART 3 – CYBERSECURITY ISSUES & CONTROLS

Cybersecurity Issues
• Narrative of the existing issues, challenges, and future considerations concerning cybersecurity as it relates to the project.

Cybersecurity Controls
• Narrative of the current safeguards/countermeasures in place that would lower the probability or lessen the impact of security incidents if the project is not funded.

What’s the problem?

How’s it handled now?


Legacy Issues
Part 4 – Legacy Projects Only

Krishna Edathil


PART 4 – LEGACY ISSUES

• 14-16 questions
• Modernization Benefits
• Cost-Benefit Analysis & Methodology
• Modernization Scope (servers & software)
• System Characteristics


COST-BENEFIT ANALYSIS – BUSINESS CASE WORKBOOK


Probability & Impact Determination

Parts 5 & 6 – Cybersecurity Projects Only

Matt Kelly


PART 5 – PROBABILITY DETERMINATION

7 questions
• Threat Capability
• Incentive
• Control Effectiveness
• Control Reliability
• Threat Event Frequency
• Asset Exposure

PART 6 – IMPACT DETERMINATION

8 questions
• Reputational Impacts
• Operational Impacts
• Physical Impacts
• Legal Impacts
• Financial Impacts

[Figure: chart with axes Probability and Impact]


SPECTRIM PCLS DEMO
Collection Tool

Matt Kelly


Logging in


Navigation


Support Request


New PCLS Record


Delegating a Record


Looking up Business Applications


Return to Existing Record


Submitting a Record


Exporting a Questionnaire


SPECTRIM Accounts

• Information Resources Managers (IRM) are responsible for completing PCLS Questionnaires but may delegate to any active SPECTRIM users.

• Additional users can be requested and delegated to a PCLS questionnaire by the IRM (via support request or email [email protected]).

• Accounts must be active to receive system notifications.

• Inactive/Locked accounts cannot reset passwords themselves. If you don’t receive a password reset email within 10 minutes, your account is probably inactive.

• Contact [email protected] to have inactive/locked accounts reactivated.


SPECTRIM Portal Login

Portal Login: https://dir.archer.rsa.com

Password reset only works for active accounts.


PCLS Dashboard

Select the PCLS workspace tab on the top banner to access the dashboard. If you do not see the tab, you may have to select the vertical ellipsis on the far right to view additional workspaces.

If the workspace is not available, contact [email protected] to check if you have the appropriate access rights.


PCLS Questionnaire Record

Edit/View Mode Toggle

Delegate User Field Lookup

Help Text Display Icon


Temporary Issue Using Chrome v83

NOTE: If using Chrome v83, there is a potential issue with values lookup fields. If you receive a blank lookup box, you may have to close out and try again a couple of times, or use a different supported browser (Firefox, IE/Edge).


Submission Process

1. Identify Applicable Projects
2. Determine Project Type
3. Identify Related Business Applications
4. Ensure related applications have APM assessment < 4 years
5. Ensure required application fields completed
6. Create PCLS Project Questionnaire
7. Determine who will fill out questionnaire
8. Determine if reviewer needed
9. Submit Questionnaire in SPECTRIM
10. Submit PCLS Tracking Key with LAR
11. Change SPECTRIM Status to “Submitted to LBB”


Questionnaire Statuses

• Not Started – initial status indicating that the PCLS record has been created, but no questions have been completed.

• In Process with Submitter – questionnaire record has been saved, but content has not been submitted for next stage. The submitter or delegate can come back to the record and update responses in this stage.

• Awaiting Business Application Assessment(s) – the questionnaire has business applications associated in Part 2 that do not meet the required criteria to be included in the project questionnaire. Associated applications must have the required application fields completed (e.g. Mission Critical) and must have an APM assessment completed on the application within the last 4 years. The agency will need to either complete the required APM assessment(s) or exclude applications that do not meet the requirements to submit the questionnaire.

• In Process with Reviewer – indicates that the questionnaire record has been finalized by the submitter and is awaiting review. This stage will only occur if the submitter or delegate assigns someone to the optional reviewer field. The reviewer will need to review the questionnaire record to approve or reject the questionnaire back to the submitter.

• Rejected by Reviewer / Re-Finalize – indicates the optional reviewer has rejected the questionnaire. The submitter or delegate will need to revise the questionnaire content and re-finalize to submit for review again.

• Awaiting Submission to LBB – indicates that the PCLS questionnaire has successfully been submitted to DIR via SPECTRIM. The questionnaire content will become read-only at this time. Once the PCLS Tracking Key has been submitted via the agency’s LAR, the submitter will need to return to the PCLS questionnaire record, update the “Project submitted to LBB with its PCLS Tracking Key” field to “Yes”, and populate the “Date Submitted to LBB” field.

• PCLS Tracking Key Submitted to LBB – indicates that the PCLS questionnaire submission has been fully submitted to both DIR and LBB. Most of the record will become read only, but users may still update information about the project including Funding Status and Project Status.

• Not Submitted – Archived – indicates that the PCLS record was created during a previous legislative session and was not indicated as submitted to LBB. The record is read-only and may not be updated. If users want to submit the request for the 87th legislative session, they will need to create a new PCLS record.


Assistance

• DIR will use the TX-IRM mailing list for primary communications.

• For general inquiries about PCLS content (e.g. question clarification, process questions) email [email protected].

• For support with the SPECTRIM portal (e.g. password resets, obtaining credentials) email [email protected] or open an archer support request from within the portal.

• PCLS Webpage: https://dir.texas.gov/View-Resources/Pages/Content.aspx?id=54


Q & A


Thank You

dir.texas.gov

#DIRisIT @TexasDIR